Skip to main content

Shopper CVE-2026-47742

| EUVDEUVD-2026-33408 MEDIUM
Missing Authorization (CWE-862)
2026-05-29 GitHub_M GHSA-h4mp-g9c6-xwph
6.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

3
Patch available
May 29, 2026 - 20:02 EUVD
Source Code Evidence Fetched
May 29, 2026 - 19:00 vuln.today
Analysis Generated
May 29, 2026 - 19:00 vuln.today

DescriptionGitHub Advisory

Shopper is a Headless e-commerce Admin Panel. Prior to 2.8.0, Sub-form Livewire components used in the product editor (Edit, Inventory, Seo, Shipping, Files) had no authorization on their store() method. Any authenticated panel user, regardless of role, could mutate any product's pricing, stock, SEO metadata, shipping dimensions, and attached media without holding edit_products. The affected components accepted the product ID as a public Livewire property without #[Locked], so an attacker could also target an arbitrary product by tampering with the wire payload from the client. This vulnerability is fixed in 2.8.0.

AnalysisAI

Privilege escalation in shopperlabs/shopper prior to 2.8.0 allows any authenticated admin panel user - regardless of assigned role - to mutate pricing, inventory, SEO metadata, shipping dimensions, and attached media for any product by exploiting missing authorization on Livewire sub-form component store() methods. Because the product ID was accepted as an unlocked public Livewire property, attackers could additionally target arbitrary products by tampering with the wire payload from the client side, not just products they otherwise interact with. No active exploitation confirmed (not in CISA KEV), and no standalone POC code has been published, though the remediation PR diff is publicly available.

Technical ContextAI

Shopper is a Laravel-based headless e-commerce admin panel that uses Livewire, a full-stack component framework that communicates via AJAX-like wire requests containing serialized component state. In Livewire, public PHP properties are two-way synchronized with the client by default - without the #[Locked] attribute, a client can freely rewrite any public property (such as productId) in the wire payload before it is processed server-side. The affected sub-form components (Edit, Inventory, Seo, Shipping, Files under Products/Form/) each exposed a store() method that persisted user-submitted data without calling any authorization gate (i.e., without checking the edit_products permission). The root cause is CWE-862 (Missing Authorization) - the code authenticated the session but never verified the caller's role before allowing state mutation. The CPE cpe:2.3:a:shopperlabs:shopper:*:*:*:*:*:*:*:* with an upper version bound of 2.8.0 covers all affected releases. The PR #511 fix adds the #[Locked] PHP attribute to resource ID properties (locking them server-side against client tampering) and inserts $this->authorize() calls in mutating methods to enforce Laravel permission gates.

RemediationAI

Upgrade shopperlabs/shopper to version 2.8.0 or later - this is the vendor-released patch confirmed by security advisory GHSA-h4mp-g9c6-xwph and implemented in PR #511 (https://github.com/shopperlabs/shopper/pull/511). The fix introduces the Livewire #[Locked] attribute on all resource ID properties to prevent client-side wire payload tampering, and adds $this->authorize() permission gate checks in store() and other mutating methods to enforce role-based access control. If an immediate upgrade to 2.8.0 is not feasible, restrict admin panel access exclusively to fully-trusted, high-privilege accounts as a compensating control - this eliminates the low-privilege escalation vector but does not remediate the underlying missing authorization flaw and may not be operationally acceptable in multi-role deployments. There is no known configuration toggle to disable the vulnerable Livewire components independently of disabling the product editor entirely.

Share

CVE-2026-47742 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy